Re: compromised network

From: Lard van den Berg (
Date: 12/30/03

  • Next message: "Re: compromised network"
    To: "Dana Rawson" <>, <>
    Date: Mon, 29 Dec 2003 23:31:43 -0000

    I would externally disconnect your network (of course if this is possible -
    not always in age of e-commerce etc.) and build up your network from
    scratch. Depending on how many servres you have got it is a rather daunting
    task to find out what is infected and what isn't. Re-install OS systems and
    look at backups of logsfiles of the compromised ones to see if there any
    foodprints. You might want to leave a disinfected server inplace
    (disconnected though) for any legal steps you want to take. Installing an
    IDS system would be suggested in future.

    Lard van den Berg

    ----- Original Message -----
    From: "Dana Rawson" <>
    To: <>
    Sent: Friday, December 26, 2003 7:21 PM
    Subject: compromised network

    > Not sure where to start except by saying that my servers and router were
    compromised. Have locked down both servers and routers (at least I have
    attempted to do so) but what is the best way to verify that there is nothing
    rogue left active on the servers? Also, is there any legal action I should
    take (i.e. Do I alert any authorities)? It appears that my network was
    targeted by a server in california and individuals from Australia,
    Netherlands and the US were connecting using it as an ftp server. Was
    actually named "Revenge Server".
    > I just installed Ethereal and am currently capturing packets but am not
    really sure how to read this or if there is any easier way to monitor all
    things. ...And to actually know how to read it.
    > Will I be able to retrieve ip addresses from packets to match activity on
    my syslog and identify rogue traffic?
    > This is all new to me so I apologize if my questions don't make sense or
    my approach is illogical.
    > --------------------------------------------------------------------------
    > --------------------------------------------------------------------------


  • Next message: "Re: compromised network"